Abstract. In deduction modulo, a theory is not represented by a set of axioms but
by a congruence on propositions modulo which the inference rules of standard deductive
systems — such as for instance natural deduction — are applied. Therefore, the reasoning
that is intrinsic to the theory does not appear in the length of proofs. In general, the
congruence is defined through a rewrite system over terms and propositions. We define
a rigorous framework to study proof lengths in deduction modulo, where the congruence
must be computed in polynomial time. We show that even very simple rewrite systems
lead to arbitrary proof-length speed-ups in deduction modulo compared to using axioms.
As higher-order logic can be encoded as a first-order theory in deduction modulo, we
also study how to reinterpret, thanks to deduction modulo, the speed-ups between
higher-order and first-order arithmetics that were stated by Gödel. We define a first-order rewrite
system with a congruence decidable in polynomial time such that proofs of higher-order
arithmetic can be linearly translated into first-order arithmetic modulo that system. We
also present the whole higher-order arithmetic as a first-order system without resorting to
any axiom, where proofs have the same length as in the axiomatic presentation.



1. Introduction 

The study of the length of the proofs produced by a logical system is of course
interesting from a practical point of view. Indeed, shorter proofs seem to be easier to find
(either by hand or automatically), to share and to maintain. Although automated provers may
be able to find proofs that are longer than proofs done by humans, they nevertheless have
bounded capacities. Even if computing power is always increasing, so that one is no longer
afraid to use SAT-solvers within verification tools (mainly because worst cases do not often
occur in practice), it is not conceivable to build an automated theorem prover that produces
only proofs of non-elementary length.

This study has also a theoretical interest. As remarked by Parikh in the introductory
paragraph of Gödel (1986), "the celebrated P=NP? question can itself be thought of as
a speed-up question." (See also Cook and Reckhow, 1979.) This explains the research
for speed-ups between proof systems — for instance, it is shown that Frege systems have
an exponential speed-up over resolution for propositional logic (Buss, 1987) — and for new
formalisms whose deductive systems provide smaller proofs, such as for instance the calculus
of structures of Brünnler (2003) w.r.t. the sequent calculus of Gentzen (1934) (see Bruscoli
and Guglielmi, 2009). The goal is to find a so-called super proof system (Cook and Reckhow,
1979), which can build polynomially sized proofs of each propositional tautology, or to refute
the existence of such a system, in which case NP ≠ coNP, which would imply P ≠ NP. In this
paper, the length of a proof corresponds to its number of steps (sometimes called lines),
whatever the actual size of the propositions appearing in them is.

Proofs are rarely searched for without context: mathematical proofs rely on set theory,
or Euclidean geometry, or arithmetic, etc.; proofs of program correctness are done using
e.g. pointer arithmetic and/or theories defining data structures (chained lists, trees, ...);
concerning security, theories are used for instance to model properties of encryption
algorithms. In this paper, we are therefore interested in the length of proofs in a theory. This
length may depend on several factors. First, the strength of the theory plays a key role, as
shown by the following result: it has been proved by Parikh (1973) that second-order
arithmetic provides shorter proofs than first-order arithmetic. (This result was stated earlier by
Gödel (1936), unfortunately without proof.) This was generalized to all orders by Krajíček
(1989), and was proved for the true language of arithmetic by Buss (1994). (The former
results used an axiomatization of arithmetic using ternary predicates to represent addition
and multiplication.) The theorem proved by Buss is stated as follows:

Theorem 1.1 (Buss (1994, Theorem 3)). Let $i > 0$. Then there is an infinite family $\mathcal{F}$ of
$\Pi^0_1$-propositions such that
(1) for all $P \in \mathcal{F}$, $Z_i \vdash P$
(2) there is a fixed $k \in \mathbb{N}$ such that for all $P \in \mathcal{F}$, $Z_{i+1} \vdash_{k\ \text{steps}} P$
(3) there is no fixed $k \in \mathbb{N}$ such that for all $P \in \mathcal{F}$, $Z_i \vdash_{k\ \text{steps}} P$.

where $Z_i$ corresponds to the $(i+1)$st-order arithmetic (so $Z_0$ is in fact first-order arithmetic),
and $Z_i \vdash_{k\ \text{steps}} P$ means that $P$ can be proved in at most $k$ steps within a schematic system
— i.e. a Hilbert-type (or Frege) system with a finite number of axiom schemata and inference
rules — for $(i+1)$st-order arithmetic. (In fact, Buss proved this theorem also for weakly
schematic systems, i.e. schematic systems in which every tautology can be used as an axiom,
as well as generalizations of axioms, but we will not use this fact here.)

The length of the proofs depends also on the presentation of the theory. For instance,
if we present the theory $T$ by all the propositions that hold in that theory ($\{P : T \models P\}$),
then for all true propositions $P$ there is a one-step "proof", namely using the axiom $P$. Of
course, we can argue whether those are really proofs. Indeed, in that case, proof checking
consists in checking that $P$ holds in $T$, and is therefore undecidable in general. On the
other hand, using a finite first-order axiomatization of the theory does not seem optimal,
in particular when computations are involved. For instance, a proof of 2 + 2 = 4 should be
straightforward and should not contain more than one step that consists in checking that
computing 2 + 2 makes 4. Then, it seems important to distinguish what part of a proof
corresponds to computation and what part is real deduction, so as to better combine them.
Such an idea is referred to as Poincaré's principle. Deduction modulo (Dowek, Hardin,
and Kirchner, 2003) is a formalism deriving from this principle. The computational part of
a proof is put in a congruence between propositions modulo which the application of the
deduction rules takes place. This leads for instance to the sequent calculus modulo and to
the natural deduction modulo. The congruence is often defined as a set of rewrite rules that
can rewrite terms but also atomic propositions: indeed, one wants for instance to consider
the definition of the addition or multiplication using rewrite rules over terms as part of the
computation, but also the following rewrite rule:

$x \times y = 0 \longrightarrow x = 0 \lor y = 0$

which rewrites an atomic proposition to a proposition, so that the following simple
natural-deduction-modulo proof of $t \times t = 0$ can be deduced from a proof $\pi$ of $t = 0$:

$$\dfrac{\dfrac{\pi}{t = 0}}{t \times t = 0}\ \lor\text{-i} \qquad t \times t = 0 \longrightarrow t = 0 \lor t = 0$$

Proposition rewriting is essential to be able to encode expressive theories in deduction
modulo, as was done for first-order arithmetic (Dowek and Werner, 2005), Zermelo's set
theory (Dowek and Miquel), simple type theory (a.k.a. higher-order logic) (Dowek,
Hardin, and Kirchner, 2001) or pure type systems (Cousineau and Dowek, 2007; Burel,
2008).



As computations are not part of the deduction in the proof, they should not be counted
in the length of the proof. Indeed, a proof in deduction modulo consists only of the deductive
steps, and the computational steps are replayed during proof checking. However, this is too
general if we are concerned with the notion of proof length. Because rewriting is
Turing-complete, a whole proof system can be encoded in the computational part. This leads to the
same problem as using all propositions of the theory as axioms: proof checking is no longer
decidable. We therefore need a more rigorous framework to study proof length in deduction
modulo. We argue that we should only call a proof an object that can be checked feasibly,
that is, in polynomial time. This is of course an arbitrary criterion (we could for instance
have chosen another complexity class), but it seems natural. Furthermore, this is required
if one wants to link proof theory with complexity theory. Indeed, Cook and Reckhow
defined a framework in which a proof system for a theory $T$ is an onto function computable
in polynomial time from the words over some alphabet (representing the proofs) to the set
of propositions that hold in $T$. Starting from a more conventional proof system, the idea is
to map a correct proof to its conclusion, and an incorrect proof to any proposition of $T$.
As the function must be computable in polynomial time, proof checking in the real system
has to be feasible. In deduction modulo, this requirement implies that the congruence must
be checkable in polynomial time. In this paper, we will consider rewrite systems that are
confluent and that have a polynomial derivational complexity, i.e. the number of rewrite
steps of a term of size $n$ must be bounded by a polynomial of $n$.

Deduction modulo is logically equivalent to the axiomatic theory corresponding to the
congruence (Dowek et al., 2003, Proposition 1.8), but proofs are often considered as simpler,
because the computation is hidden, letting the deduction clearly appear. Proofs are also
claimed to be shorter for the same reason. Nevertheless, this fact was never quantified.
Besides, it is possible, in deduction modulo, to build proofs of Higher-Order Logic using
a first-order system (Dowek et al., 2001). Using this, a step of higher-order resolution is
completely simulated by a step of ENAR, the resolution and narrowing method based on
deduction modulo. It looks like this is also the case for the associated sequent calculi,
although this was not clearly stated. Therefore, it seems reasonable to think that deduction
modulo is able to give the same proof-length speed-ups as the ones occurring between $(i+1)$st-
and $i$th-order arithmetic. This paper therefore investigates how to relate proof-length
speed-ups in arithmetic with the computational content of the proofs.

Our first result is to show that even a very simple rewrite system can lead to arbitrary
proof-length speed-ups (Theorem 2.3). Then, we show how to encode everything concerning
higher orders up to $i > 0$ into a confluent rewrite system $HO_i$ with polynomial derivational
complexity. Modulo this rewrite system, we show that it is possible to stay in first-order
arithmetic while preserving the proof lengths of higher-order arithmetic (Theorem 4.5).
This shows that the origin of the speed-up theorem of Buss can be, at least to some extent,
expressed as simple computations. Note that $HO_i$ is not the restriction of the encoding of
HOL by Dowek et al. (2001) up to the order $i$, because we were not able to prove that its
derivational complexity is bounded.



In this paper, we are also concerned with extending the work of Dowek and Werner
(2005) in which the whole first-order arithmetic is expressed as a rewrite system. In
that case, we speak of a purely computational presentation of the theory. Thus, we show
how to express higher-order arithmetic as a purely computational theory. This permits
to recover desirable properties such as disjunction and witness properties for higher-order
Heyting arithmetic (i.e. intuitionistic arithmetic). This is not just the combination of the
encoding of higher orders and the formulation of first-order arithmetic by Dowek and Werner
(2005), because the latter does not preserve the length of proofs. We define higher-order
arithmetic as a purely computational theory $\mathrm{HHA}_i^{\mathrm{mod}}$ which has the same speed-up over
first-order arithmetic as the axiomatic presentation. Unfortunately, the rewrite system
of this presentation is not terminating. The rule that breaks the termination is the one
encoding the induction principle, which is not surprising, because this is where the strength
of arithmetic lies. We therefore advocate the use of a new inference rule corresponding to
it.



In earlier work (2007), we also looked at the relations between computations and proof-length
speed-ups. We work in a much more rigorous framework here. For instance, in (2007), we only
stated that the rewrite systems we were using were "simple", whereas we request here that
they are confluent and with a polynomially bounded derivational complexity. Also, in (2007),
in the translation of $Z_i$ to  modulo, there remained axioms in which function symbols
of order $i$ were involved, which is no longer the case here.

The next section will present the minimal knowledge needed on deduction modulo to
make the paper self-contained; it defines the notion of polynomially bounded derivational
complexity, and shows that arbitrary proof-length speed-ups naturally occur thanks to
deduction modulo, even for very simple rewrite systems with polynomially bounded
derivational complexity. In Section 3 we present proof systems for higher-order arithmetic, and
we prove that using schematic systems or natural deduction is not relevant w.r.t. arbitrary
proof-length speed-ups. Then, Section 4 presents how to efficiently encode higher orders,
and then higher-order arithmetic. Finally, in Section 5 we apply these results to investigate
the origin of the speed-ups in arithmetic.



2. Proof Speed-ups in Deduction Modulo 



2.1. Rewriting propositions. In this section, we recall the definition of deduction
modulo, as introduced by Dowek et al. (2003) and Dowek and Werner (2003). In deduction
modulo, propositions are considered modulo some congruence defined by some rules that
rewrite not only terms but also propositions. We use standard definitions, as given by
Baader and Nipkow (1998), and extend them to proposition rewriting (Dowek et al., 2003).

First, let us recall how to build many-sorted first-order propositions (see Gallier, 1986,
Chapter 10), mainly to introduce the notations we will use. A (first-order) many-sorted
signature consists of a set of function symbols and a set of predicates, all of them with
their arity (and co-arity for function symbols). We denote by $\mathcal{T}(\Sigma, V)$ the set of terms built
from a signature $\Sigma$ and a set of variables $V$. An atomic proposition is given by a predicate
symbol $A$ of arity $[i_1, \ldots, i_n]$ and by $n$ terms $t_1, \ldots, t_n \in \mathcal{T}(\Sigma, V)$ with matching sorts. It
is denoted $A(t_1, \ldots, t_n)$. Propositions can be built using the following grammar:

$\mathcal{P} = \bot \mid A \mid \mathcal{P} \land \mathcal{P} \mid \mathcal{P} \lor \mathcal{P} \mid \mathcal{P} \Rightarrow \mathcal{P} \mid \forall x.\ \mathcal{P} \mid \exists x.\ \mathcal{P}$

where $A$ ranges over atomic propositions and $x$ over variables. $P \Leftrightarrow Q$ will be used as
syntactic sugar for $(P \Rightarrow Q) \land (Q \Rightarrow P)$, as well as $\neg P$ for $P \Rightarrow \bot$. Positions in a term or a
proposition, free variables and substitutions are defined as usual (see Baader and Nipkow,
1998). The replacement of a variable $x$ by a term $t$ in a proposition $P$ is denoted by $\{t/x\}P$,
the subterm or subproposition of $t$ at the position $p$ by $t_{|p}$, and its replacement in $t$ by a
term or proposition $s$ by $t[s]_p$.

A term rewrite rule is the pair of terms $l, r$ such that all free variables of $r$ appear in
$l$. It is denoted $l \to r$. A term rewrite system is a set of term rewrite rules. A term $s$
can be rewritten to a term $t$ by a term rewrite rule $l \to r$ if there exists some substitution
$\sigma$ and some position $p$ in $s$ such that $\sigma l = s_{|p}$ and $t = s[\sigma r]_p$. An atomic proposition
$A(s_1, \ldots, s_i, \ldots, s_n)$ can be rewritten to the atomic proposition $A(s_1, \ldots, t_i, \ldots, s_n)$ by a
term rewrite rule $l \to r$ if $s_i$ can be rewritten to $t_i$ by $l \to r$. This relation is extended by
congruence to all propositions.

A proposition rewrite rule is the pair of an atomic proposition $A$ and a proposition
$P$, such that all free variables of $P$ appear in $A$. It is denoted $A \to P$. A proposition
rewrite system is a set of proposition rewrite rules. A proposition $Q$ can be rewritten to a
proposition $R$ by a proposition rewrite rule $A \to P$ if there exists some substitution $\sigma$ and
some position $p$ in $Q$ such that $\sigma A = Q_{|p}$ and $R = Q[\sigma P]_p$. Semantically, this proposition
rewrite relation must be seen as a logical equivalence between propositions.

A rewrite system is the union of a term rewrite system and a proposition rewrite system.
The fact that $P$ can be rewritten to $Q$ either by a term or by a proposition rewrite rule of
a rewrite system $\mathcal{R}$ will be denoted by $P \to_{\mathcal{R}} Q$. The transitive (resp. reflexive transitive)
closure of this relation will be denoted by $\to^{+}_{\mathcal{R}}$ (resp. $\to^{*}_{\mathcal{R}}$).

The derivational length of a term or proposition $t$ w.r.t. a rewrite system $\mathcal{R}$ is the
maximal length of a derivation starting from $t$ using $\mathcal{R}$. The derivational complexity of a
rewrite system $\mathcal{R}$ is the function that maps a natural number $n$ to the maximal derivational
length w.r.t. $\mathcal{R}$ of the terms and propositions of size at most $n$. In this paper, we are
interested in rewrite systems that are confluent and whose derivational complexity can be
bounded by a polynomial. This implies that $\longleftrightarrow^{*}_{\mathcal{R}}$ is decidable in polynomial time.

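2.2. Natural deduction modulo. Using some equivalence $\longleftrightarrow^{*}_{\mathcal{R}}$ defined by a term and
proposition rewrite system $\mathcal{R}$, we can define natural deduction modulo as do Dowek and
Werner (2003). Its inference rules are represented in Figure 1. They are the same as the
ones introduced by Gentzen (1934), except that we work modulo the rewrite relation. Leaves
of a proof that are not discarded by some inference rules (on the contrary to $A$ in $\Rightarrow$-i for
instance) are the assumptions of the proof.

Footnote: = is used for definitions.

• $\Rightarrow$-i: from $B$, proved under the discharged assumption $[A]$, infer $C$, if $C \longleftrightarrow^{*}_{\mathcal{R}} A \Rightarrow B$
• $\Rightarrow$-e: from $C$ and $A$ infer $B$, if $C \longleftrightarrow^{*}_{\mathcal{R}} A \Rightarrow B$
• $\land$-i: from $A$ and $B$ infer $C$, if $C \longleftrightarrow^{*}_{\mathcal{R}} A \land B$
• $\land$-e: from $C$ infer $A$, if $C \longleftrightarrow^{*}_{\mathcal{R}} A \land B$ or $C \longleftrightarrow^{*}_{\mathcal{R}} B \land A$
• $\lor$-i: from $A$ infer $C$, if $C \longleftrightarrow^{*}_{\mathcal{R}} A \lor B$ or $C \longleftrightarrow^{*}_{\mathcal{R}} B \lor A$
• $\lor$-e: from $C$, and $D$ proved under the discharged assumption $[A]$, and $D$ proved under the discharged assumption $[B]$, infer $D$, if $C \longleftrightarrow^{*}_{\mathcal{R}} A \lor B$
• $\forall$-i: from $\{y/x\}A$ infer $B$, if $B \longleftrightarrow^{*}_{\mathcal{R}} \forall x.\ A$ and $y$ is not free in $A$ nor in the assumptions of the proof above
• $\forall$-e: from $A$ infer $B$, if $A \longleftrightarrow^{*}_{\mathcal{R}} \forall x.\ C$ and $B \longleftrightarrow^{*}_{\mathcal{R}} \{t/x\}C$
• $\exists$-i: from $B$ infer $A$, if $A \longleftrightarrow^{*}_{\mathcal{R}} \exists x.\ C$ and $B \longleftrightarrow^{*}_{\mathcal{R}} \{t/x\}C$
• $\exists$-e: from $B$, and $C$ proved under the discharged assumption $[\{y/x\}A]$, infer $C$, if $B \longleftrightarrow^{*}_{\mathcal{R}} \exists x.\ A$ and $y$ is not free in $C$ nor in the assumptions of the proof above except $\{y/x\}A$

Figure 1: Inference Rules of Natural Deduction Modulo $\mathcal{R}$.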

The length of a proof is the number of inferences used in it. We will denote by $\Gamma \vdash^{N}_{k\ \text{steps},\,\mathcal{R}} P$
the fact that there exists a proof of $P$ of length at most $k$ using a finite subset of $\Gamma$ ($\Gamma$
can be infinite) as assumptions. In the case where $\mathcal{R} = \emptyset$, we are back to pure natural
deduction, and we will use $\Gamma \vdash^{N}_{k\ \text{steps}} P$.



Definition 2.1 (Compatible presentation (Dowek et al., 2003, Definition 1.4)). An
axiomatic presentation $\Gamma$ of a theory is said to be compatible with a rewrite system $\mathcal{R}$ if:

• $P \longleftrightarrow^{*}_{\mathcal{R}} Q$ implies $\Gamma \vdash P \Leftrightarrow Q$;

• for every proposition $P \in \Gamma$, we have $\vdash_{\mathcal{R}} P$.

For instance, $B \Rightarrow A$ is compatible with $A \to A \lor B$: it is possible to prove $A \Leftrightarrow A \lor B$
assuming $B \Rightarrow A$ with the proof:

$$\dfrac{\dfrac{\dfrac{A\ (i)}{A \lor B}\ \lor\text{-i}}{A \Rightarrow A \lor B}\ \Rightarrow\text{-i}\ (i) \qquad \dfrac{\dfrac{A \lor B\ (ii) \qquad A\ (iii) \qquad \dfrac{B\ (iii) \qquad B \Rightarrow A}{A}\ \Rightarrow\text{-e}}{A}\ \lor\text{-e}\ (iii)}{A \lor B \Rightarrow A}\ \Rightarrow\text{-i}\ (ii)}{A \Leftrightarrow A \lor B}\ \land\text{-i}$$

(other cases of equivalent propositions can be derived from it), and reciprocally, $B \Rightarrow A$ has
the following proof modulo $A \to A \lor B$:

$B$ (i)

Given a rewrite system, a compatible presentation always exists, and one can show
that proving modulo a rewrite system is the same as proving without modulo but using a
compatible presentation as assumptions (Dowek et al., 2003, Proposition 1.8).



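Proof lengths in finite compatible presentations are essentially the same:

Proposition 2.2. Let $\Gamma_1$ and $\Gamma_2$ be two finite presentations compatible with the same rewrite
system $\mathcal{R}$. It is possible to translate a proof of length $n$ in $\Gamma_1$ into a proof of length $O(n)$ in
$\Gamma_2$.

Proof. We show that every axiom of $\Gamma_1$ can be translated by a proof of bounded depth in
$\Gamma_2$. By definition of compatibility, for all $P \in \Gamma_1$, we have $\vdash_{\mathcal{R}} P$. Then, whenever the
congruence is used in that proof, we replace it by a cut with the corresponding proof in $\Gamma_2$
thanks to compatibility. For instance, if we have

$$\dfrac{A}{B}\ \forall\text{-e} \quad \text{with } A \longleftrightarrow^{*}_{\mathcal{R}} \forall x.\ C \text{ and } B \longleftrightarrow^{*}_{\mathcal{R}} \{t/x\}C$$

we know by compatibility that there exist proofs $\pi_1$ of $\Gamma_2 \vdash A \Leftrightarrow \forall x.\ C$ and $\pi_2$ of
$\Gamma_2 \vdash B \Leftrightarrow \{t/x\}C$, so that we have

$$\dfrac{\dfrac{\dfrac{\pi_2}{B \Leftrightarrow \{t/x\}C}}{\{t/x\}C \Rightarrow B}\ \land\text{-e} \qquad \dfrac{\dfrac{\dfrac{\dfrac{\pi_1}{A \Leftrightarrow \forall x.\ C}}{A \Rightarrow \forall x.\ C}\ \land\text{-e} \qquad A}{\forall x.\ C}\ \Rightarrow\text{-e}}{\{t/x\}C}\ \forall\text{-e}}{B}\ \Rightarrow\text{-e}$$

Transforming all applications of the congruence in that way, we obtain a proof of $\Gamma_2 \vdash P$.
As $\Gamma_1$ is finite, there is a maximum $K$ on the length of such proofs, and a proof of length $n$
in $\Gamma_1$ can be transformed into a proof of length at most $K \times n$ in $\Gamma_2$ by replacing an axiom
$P$ by its corresponding proof in $\Gamma_2$. □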



2.3. A Simple Proof-Length Speed-up. Because part of the proofs are put into the
congruence, it is quite easy to get arbitrary proof-length speed-ups in deduction modulo,
even for very simple rewrite systems.

Consider the proposition rewrite system Add:

$\mathrm{Add}(0, y, y) \to \top$
$\mathrm{Add}(s(x), y, s(z)) \to \mathrm{Add}(x, y, z)$

It is easy to prove that the derivational complexity of Add is polynomially bounded.
Furthermore, it is confluent, and $\longleftrightarrow^{*}_{\mathrm{Add}}$ is clearly decidable in polynomial time. However, proving
modulo Add leads to an arbitrary proof-length speed-up compared to proving using a finite
compatible presentation.

Theorem 2.3. There is an infinite family $\mathcal{F}$ of propositions such that for all finite
presentations $\Gamma$ compatible with Add,

(1) for all $P \in \mathcal{F}$, $\Gamma \vdash P$
(2) for all $P \in \mathcal{F}$, $\vdash^{N}_{1\ \text{step},\,\mathrm{Add}} P$
(3) there is no fixed $k \in \mathbb{N}$ such that for all $P \in \mathcal{F}$, $\Gamma \vdash^{N}_{k\ \text{steps}} P$.

Proof. Let $\underline{n}$ denote $s(\cdots s(0) \cdots)$ ($n$ times) for $n \in \mathbb{N}$. Consider the family of propositions $(\mathrm{Add}(\underline{i}, \underline{i}, \underline{2i}))_{i \in \mathbb{N}}$.

Clearly, (1) holds. Since $\mathrm{Add}(\underline{i}, \underline{i}, \underline{2i}) \to^{*}_{\mathrm{Add}} \mathrm{Add}(0, \underline{i}, \underline{i}) \to_{\mathrm{Add}} \top$, we have the following proof
modulo Add:

$$\dfrac{}{\mathrm{Add}(\underline{i}, \underline{i}, \underline{2i})}\ \top\text{-i} \qquad \mathrm{Add}(\underline{i}, \underline{i}, \underline{2i}) \longleftrightarrow^{*}_{\mathrm{Add}} \top$$

Hence, (2) holds. Consider the presentation containing the two axioms $\forall x.\ \mathrm{Add}(x, 0, x)$ and
$\forall x\, y\, z.\ \mathrm{Add}(s(x), y, s(z)) \Leftrightarrow \mathrm{Add}(x, y, z)$. It is easy to prove that this finite presentation is
compatible with Add. To prove $\mathrm{Add}(\underline{i}, \underline{i}, \underline{2i})$ in this presentation, we need to use the second
axiom at least $i$ times, so that the length of the proofs cannot be bounded by a constant.
Now consider another finite presentation compatible with Add; Proposition 2.2 tells us that
the length of the proofs cannot be bounded by a constant in that presentation either. □

Note 1. This is not true for infinite compatible presentations, since such presentations can
contain $\mathcal{F}$.
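The derivation used in the proof of Theorem 2.3, as an added example (not code from the paper): a small Python normalizer for the Add rewrite system on ground atomic propositions, which counts the rewrite steps a proof checker has to replay. The tuple encoding of terms and all function names are assumptions of this example.

```python
# Added example: the Add rewrite system of Section 2.3 on ground propositions.
# Encoding (an assumption of this example): 0 is ("0",), s(t) is ("s", t),
# Add(a, b, c) is ("Add", a, b, c) and the true proposition is ("T",).

TOP = ("T",)
ZERO = ("0",)


def num(n):
    """Peano numeral s(...s(0)...) with n occurrences of s."""
    t = ZERO
    for _ in range(n):
        t = ("s", t)
    return t


def add(a, b, c):
    return ("Add", a, b, c)


def size(t):
    """Number of symbols of a term or proposition."""
    total, stack = 0, [t]
    while stack:
        node = stack.pop()
        total += 1
        stack.extend(node[1:])
    return total


def step(p):
    """Apply one Add rule at the root; return (rule_name, result) or None."""
    if p[0] != "Add":
        return None
    a, b, c = p[1:]
    if a == ZERO and b == c:            # Add(0, y, y) -> T (y occurs twice)
        return ("Add0", TOP)
    if a[0] == "s" and c[0] == "s":     # Add(s(x), y, s(z)) -> Add(x, y, z)
        return ("AddS", add(a[1], b, c[1]))
    return None


def normalize(p):
    """Rewrite to normal form; return (normal_form, names of rules used)."""
    trace = []
    while (r := step(p)) is not None:
        trace.append(r[0])
        p = r[1]
    return p, trace


def congruent(p, q):
    """Decide the congruence by comparing normal forms.

    Sound because Add is confluent and terminating, as the text states.
    """
    return normalize(p)[0] == normalize(q)[0]


def proof_modulo_length(p):
    """1 if the one-step proof by T-i modulo Add exists, else None."""
    return 1 if congruent(p, TOP) else None


def replayed_adds_steps(p):
    """Number of AddS steps, i.e. the uses of the second axiom that the
    proof of Theorem 2.3 counts in the axiomatic presentation."""
    return normalize(p)[1].count("AddS")


if __name__ == "__main__":
    for i in (0, 1, 5, 20):
        p = add(num(i), num(i), num(2 * i))
        nf, trace = normalize(p)
        print(i, size(p), len(trace), proof_modulo_length(p),
              replayed_adds_steps(p))
    # A false instance: the normal form is not T, so T-i does not apply.
    print(normalize(add(num(2), num(2), num(5)))[0])
```

The deductive proof stays at one step while the checker performs i + 1 rewrite steps, which remains below the size of the proposition.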



3.1. Schematic systems. We recall here, using Buss' terminology (1994), what a schematic
system consists of. It is essentially a Hilbert-type (or Frege) proof system, i.e. valid
propositions are derived from a finite number of axiom schemata using a finite number
of inference rules. Theorem 1.1 is true on condition that proofs are performed using a
schematic system.

Given a many-sorted signature of first-order logic, we can consider infinite sets of
metavariables $\alpha^i$ for each sort $i$ (which will be substituted by variables), of term variables $\tau^i$
for each sort $i$ (which will be substituted by terms) and proposition variables $A(x_1, \ldots, x_n)$
for each arity $[i_1, \ldots, i_n]$ (which will be substituted by propositions).

Metaterms are built like terms, except that they can contain metavariables and term
variables. Metapropositions are built like propositions, except that they can contain
proposition variables (which play the same role as predicates) and metaterms.

A schematic system is a finite set of inference rules, where an inference rule is a triple
of a finite set of metapropositions (the premises), a metaproposition (the conclusion), and
a set of side conditions of the forms $\alpha^j$ is not free in $\Phi$ or $s$ is freely substitutable for $\alpha^j$ in
$\Phi$, where $\Phi$ is a metaproposition and $s$ a metaterm of sort $j$. It is denoted by

$$\dfrac{\Phi_1 \ \cdots\ \Phi_n}{\Psi}\ (R)$$

An inference rule with an empty set of premises will be called an axiom schema. An axiom
schema without metaproposition is an axiom.

3.2. $i$th-order arithmetic. $i$th-order arithmetic ($Z_{i-1}$) is a many-sorted theory with sorts
$0, \ldots, i - 1$ and the signature

$0 : 0 \qquad s : [0] \to 0 \qquad + : [0; 0] \to 0 \qquad \times : [0; 0] \to 0 \qquad = : [0; 0] \qquad \in^j : [j; j + 1]$

The schematic system we use here consists of the following inference rules:

15 + 2 × i axiom schemata of classical logic. We take those used by Gentzen (1934,
Chapter 5) to prove the equivalence of his formalisms with a Hilbert-type proof system:



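$A \Rightarrow A$   (I)
$A \Rightarrow B \Rightarrow A$   (K)
$(A \Rightarrow A \Rightarrow B) \Rightarrow A \Rightarrow B$   (W)
$(A \Rightarrow B \Rightarrow C) \Rightarrow B \Rightarrow A \Rightarrow C$   (C)
$(A \Rightarrow B) \Rightarrow (B \Rightarrow C) \Rightarrow A \Rightarrow C$   (B)
$(A \land B) \Rightarrow A$   (Proj$_l$)
$(A \land B) \Rightarrow B$   (Proj$_r$)
$(A \Rightarrow B) \Rightarrow (A \Rightarrow C) \Rightarrow A \Rightarrow (B \land C)$   (Pair)
$A \Rightarrow (A \lor B)$   (Inj$_l$)
$B \Rightarrow (A \lor B)$   (Inj$_r$)
$(A \Rightarrow C) \Rightarrow (B \Rightarrow C) \Rightarrow (A \lor B) \Rightarrow C$   (Case)
$(A \Rightarrow B) \Rightarrow (A \Rightarrow B \Rightarrow \bot) \Rightarrow A \Rightarrow \bot$   (Contradiction)
$(A \Rightarrow \bot) \Rightarrow A \Rightarrow B$   (EFSQ)
$\top$   ($\top$)
$(\forall \alpha^j.\ A(\alpha^j)) \Rightarrow A(\tau^j)$   (UI)
    ($\tau^j$ is freely substitutable for $\alpha^j$ in $A(\alpha^j)$)
$A(\tau^j) \Rightarrow \exists \alpha^j.\ A(\alpha^j)$   (EI)
    ($\tau^j$ is freely substitutable for $\alpha^j$ in $A(\alpha^j)$)
$A \lor (A \Rightarrow \bot)$   (TND)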

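1 + 2 × i inference rules of classical logic. Again, we take those used by Gentzen
(1934):

$\dfrac{A \qquad A \Rightarrow B}{B}$   (MP)

$\dfrac{A \Rightarrow B(\beta^j)}{A \Rightarrow \forall \alpha^j.\ B(\alpha^j)}$   (Gen)
    ($\beta^j$ is not free in $A \Rightarrow \forall \alpha^j.\ B(\alpha^j)$)

$\dfrac{B(\beta^j) \Rightarrow A}{(\exists \alpha^j.\ B(\alpha^j)) \Rightarrow A}$   (Part)
    ($\beta^j$ is not free in $(\exists \alpha^j.\ B(\alpha^j)) \Rightarrow A$)

2 identity axiom schemata. They define the particular relation =:

$\forall \alpha^0.\ \alpha^0 = \alpha^0$   (Refl)
$\forall \alpha^0 \beta^0.\ \alpha^0 = \beta^0 \Rightarrow A(\alpha^0) \Rightarrow A(\beta^0)$   (Leibniz)

7 Robinson's axioms. They are the axioms defining the function symbols of
arithmetic (Mostowski, Robinson, and Tarski, 1953):

$\forall \alpha^0.\ \neg\, 0 = s(\alpha^0)$   ($0 \neq s$)
$\forall \alpha^0 \beta^0.\ s(\alpha^0) = s(\beta^0) \Rightarrow \alpha^0 = \beta^0$   (Inj$_s$)
$\forall \alpha^0.\ (\neg\, \alpha^0 = 0) \Rightarrow \exists \beta^0.\ \alpha^0 = s(\beta^0)$   (Onto$_s$)
$\forall \alpha^0.\ \alpha^0 + 0 = \alpha^0$   ($+0$)
$\forall \alpha^0 \beta^0.\ \alpha^0 + s(\beta^0) = s(\alpha^0 + \beta^0)$   ($+s$)
$\forall \alpha^0.\ \alpha^0 \times 0 = 0$   ($\times 0$)
$\forall \alpha^0 \beta^0.\ \alpha^0 \times s(\beta^0) = \alpha^0 \times \beta^0 + \alpha^0$   ($\times s$)

i + 1 induction and comprehension axiom schemata.

$A(0) \Rightarrow (\forall \beta^0.\ A(\beta^0) \Rightarrow A(s(\beta^0))) \Rightarrow \forall \alpha^0.\ A(\alpha^0)$   (Ind)

For all $0 \le j < i - 1$,

$\exists \alpha^{j+1}.\ \forall \beta^j.\ \beta^j \in^j \alpha^{j+1} \Leftrightarrow A(\beta^j)$   (Comp$^j$)
    ($\alpha^{j+1}$ is not free in $A(\beta^j)$)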

From this point on, we will denote by $Z_{i-1} \vdash^{S}_{k\ \text{steps}} P$ the fact that there exists a proof of $P$
of length at most $k$ in this schematic system, i.e. $P$ can be derived using at most $k$ instances
of these inference rules. Abusing notations, we will write $Z_{i-1} \vdash^{N}_{k\ \text{steps}} P$ to say that there is a
proof of $P$ in natural deduction of length at most $k$ using as assumptions a finite subset of
instances of the axiom schemata (Refl) to (Comp$^j$).



3.3. Translations between schematic systems and natural deduction. Buss'
theorem is true in schematic systems, but deduction modulo is defined for natural deduction.
It is important to get bounded translations between these formalisms to show that the
speed-ups we will be considering are not artifacts of the deductive system.

3.3.1. From $Z_i \vdash^{S}$ to $Z_i \vdash^{N}$. We want to translate a proof in the schematic system of $Z_i$ into a
proof in pure natural deduction using as assumptions instances of the axiom schemata (Refl)
to (Comp$^j$).

For the axiom schemata and inference rules of classical logic, we use the same translation
as Gentzen, for instance the axiom schema (C) is translated into the natural deduction proof

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{A \Rightarrow B \Rightarrow C\ (i) \qquad A\ (iii)}{B \Rightarrow C}\ \Rightarrow\text{-e} \qquad B\ (ii)}{C}\ \Rightarrow\text{-e}}{A \Rightarrow C}\ \Rightarrow\text{-i}\ (iii)}{B \Rightarrow A \Rightarrow C}\ \Rightarrow\text{-i}\ (ii)}{(A \Rightarrow B \Rightarrow C) \Rightarrow B \Rightarrow A \Rightarrow C}\ \Rightarrow\text{-i}\ (i)$$

and the inference rule (Part) into

$$\dfrac{\dfrac{\exists \alpha^j.\ B(\alpha^j)\ (i) \qquad \dfrac{B(\beta^j)\ (ii) \qquad B(\beta^j) \Rightarrow A}{A}\ \Rightarrow\text{-e}}{A}\ \exists\text{-e}\ (ii)}{(\exists \alpha^j.\ B(\alpha^j)) \Rightarrow A}\ \Rightarrow\text{-i}\ (i)$$

(note that the side condition ensures that it is possible to consider that what will be
substituted for $\beta^j$ is free in $A$ and the assumptions of the proof above $B(\beta^j) \Rightarrow A$). All these
inference rules have a translation whose length does not depend on the propositions finally
substituted in the proof.

In a schematic system proof, there is also a finite number of instances of the axiom
schemata for identity, Robinson's axioms and induction and comprehension schemata. We
keep these instances as assumptions in natural deduction, so that we obtain a proof in
natural deduction using as assumptions a finite subset of instances of the axiom schemata (Refl)
to (Comp$^j$), and whose length is linear compared to the schematic system proof:



Proposition 3.1. It is possible to translate a proof of length $n$ in the schematic system for
$Z_i$ into a proof of length $O(n)$ in (pure) natural deduction using assumptions in $Z_i$.



3.3.2. From $Z_i \vdash^{N}$ to $Z_i \vdash^{S}$. In this section, we consider a proof of $P$ in natural deduction,
using as assumptions finite instances of (Refl) to (Comp$^j$) in the language of $Z_i$. We translate
it into a proof in the schematic system for $Z_i$.

This is essentially a generalization of the translation from the $\lambda$-calculus to combinatory
logic (see Curry, Feys, and Craig, 1958). We define mutually recursively two functions by
induction on the inference rules: $T$ transforms a proof of $P$ in natural deduction using
assumptions $\Gamma$ into a proof of $P$ in the schematic system (I) to (Part) plus $\Gamma$. $T_A$ transforms
a proof of $P$ in natural deduction using assumptions $\Gamma, A$ into a proof of $A \Rightarrow P$ in the
schematic system (I) to (Part) plus $\Gamma$. The translation can be found in the appendix.

It can be verified that this transformation is at most exponential in the length of
proofs. Due to Cook and Reckhow (1979, Corollary 3.4), we could have found, at least for
the propositional part, a polynomial translation. Nevertheless all we need in this paper is
the fact that the increase of the proof length in the translation is bounded.

Proposition 3.2. There exists some constant $K$ such that it is possible to translate a proof
of length $n$ in the (pure) natural deduction using assumptions in $Z_i$ into a proof of length
$O(K^n)$ in the schematic system for $Z_i$.

$$Z_i \vdash^{N}_{k\ \text{steps}} P \quad \leadsto \quad Z_i \vdash^{S}_{O(K^k)\ \text{steps}} P$$

Proof. Let $K$ be the maximum number of steps that appear in addition to the recursive
calls in the definition of $T_A$ (note that it does not depend on $A$). First, if a proof $\varpi$ does
not contain $\Rightarrow$-i, $\lor$-e or $\exists$-e, then $|T_A(\varpi)| \le K|\varpi|$. We prove that by induction on $\varpi$. Let
us detail $\Rightarrow$-e only, using notations of the appendix, the other cases being similar:

$$\begin{aligned}
|T_A(\varpi)| &= |T_A(\pi_1)| + |T_A(\pi_2)| + 7 \\
&\le K|\pi_1| + K|\pi_2| + K && \text{by induction hypothesis, and by definition of } K \\
&\le K(|\pi_1| + |\pi_2| + 1) \\
&\le K|\varpi|
\end{aligned}$$

Now let us show that in all cases $|T_A(\varpi)| \le K^{|\varpi|}$. This is also proved by induction on
$\varpi$. We only detail the case of $\Rightarrow$-i. $|T_A(\varpi)| = |T_A(T_B(\pi))|$. By induction hypothesis,
$|T_B(\pi)| \le K^{|\pi|}$. Furthermore, $T_B(\pi)$ contains neither $\Rightarrow$-i, $\lor$-e nor $\exists$-e, so that
$|T_A(T_B(\pi))| \le K|T_B(\pi)| \le K \times K^{|\pi|} = K^{|\pi|+1} = K^{|\varpi|}$. From this result, we can deduce
the bound for $T$. □



4. Higher-order arithmetic as a first-order theory modulo 



4.1. Encoding higher orders using classes. First, we translate a proof in the schematic
system for $Z_i$ into a proof in natural deduction modulo with as assumptions a finite
presentation using only first-order function symbols, resorting to the congruence to get the higher
orders again.

To do so, we first consider the theory consisting of the axioms (Refl) to ($\times s$), so
without the axiom schemata (Leibniz), (Ind) and (Comp$^j$). Those are replaced by three
new axioms (Leibniz$^c$), (Ind$^c$) and (Comp$^c_j$). To do so, we use the work of Kirchner
(2007) which permits to express first-order theories using a finite number of axioms. The
idea is to transform some metaproposition $A(t_1, \ldots, t_n)$ used in an axiom schema into a
proposition of the form $\langle t_1, \ldots, t_n \rangle \in \gamma$ where $\gamma$ is some term representing what proposition
is actually substituted for $A$. Note that it has long been known that using classes permits to have
finite first-order axiomatization, but Kirchner's work shows how to handle the classes with
a simple rewrite system of weak explicit substitutions.

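Following Kirchner's method, we add new sorts $\ell$ for lists and $c$ for classes, as well as new function symbols and predicate

$$\begin{array}{rcl@{\qquad}rcl}
1^j &:& j & \cup &:& [c;c] \to c\\
S^j &:& [j] \to j & \cap &:& [c;c] \to c\\
\cdot[\cdot]^j &:& [j;\ell] \to j & \supset &:& [c;c] \to c\\
\mathit{nil} &:& \ell & \emptyset &:& c\\
::^j &:& [j;\ell] \to \ell & \mathcal{P}^j &:& [c] \to c\\
\in^j &:& [j;j+1] \to c & \mathcal{C}^j &:& [c] \to c\\
= &:& [0;0] \to c & \in &:& [\ell;c]
\end{array}$$

$\langle \alpha_1, \dots, \alpha_n\rangle$ will be syntactic sugar for $\alpha_1 ::^{j_1} \cdots ::^{j_{n-1}} \alpha_n ::^{j_n} \mathit{nil}$ for the appropriate $j_m$. Note that we only need one sort of class, and not one for each order, as we could have done. That way, all substitutions are done in the same setting. We change the axiom schemata (Leibniz), (Ind) and (Comp$^j$) into the following axioms: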

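$$\forall \gamma^c.\ \forall \alpha^0 \beta^0.\ \alpha^0 = \beta^0 \Rightarrow \langle\alpha^0\rangle \in \gamma^c \Rightarrow \langle\beta^0\rangle \in \gamma^c \qquad (\mathrm{Leibniz}_{ax})$$

$$\forall \gamma^c.\ \langle 0\rangle \in \gamma^c \Rightarrow (\forall \beta^0.\ \langle\beta^0\rangle \in \gamma^c \Rightarrow \langle s(\beta^0)\rangle \in \gamma^c) \Rightarrow \forall \alpha^0.\ \langle\alpha^0\rangle \in \gamma^c \qquad (\mathrm{Ind}_{ax})$$

For all $0 \le j < i$,

$$\forall \gamma^c.\ \exists \alpha^{j+1}.\ \forall \beta^j.\ \beta^j \in^j \alpha^{j+1} \Leftrightarrow \langle\beta^j\rangle \in \gamma^c \qquad (\mathrm{Comp}^j_{ax})$$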

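We also need weak-substitution axioms which make it possible to decode the classes (see Kirchner, 2007, Definition 4).

$$\begin{array}{ll}
\forall \alpha^j.\ \alpha^j[\mathit{nil}]^j = \alpha^j & (\mathrm{WS}_{nil})\\
\forall \alpha^j.\ \forall l^\ell.\ 1^j[\alpha^j ::^j l^\ell]^j = \alpha^j & (\mathrm{WS}_{1^j})\\
\forall \alpha^j.\ \forall \beta^k.\ \forall l^\ell.\ S^j(\alpha^j)[\beta^k ::^k l^\ell]^j = \alpha^j[l^\ell]^j & (\mathrm{WS}_{S^j})\\
\forall \alpha^0.\ \forall l^\ell.\ s(\alpha^0)[l^\ell]^0 = s(\alpha^0[l^\ell]^0) & (\mathrm{WS}_{s})\\
\forall \alpha^0.\ \forall \beta^0.\ \forall l^\ell.\ (\alpha^0 + \beta^0)[l^\ell]^0 = \alpha^0[l^\ell]^0 + \beta^0[l^\ell]^0 & (\mathrm{WS}_{+})\\
\forall \alpha^0.\ \forall \beta^0.\ \forall l^\ell.\ (\alpha^0 \times \beta^0)[l^\ell]^0 = \alpha^0[l^\ell]^0 \times \beta^0[l^\ell]^0 & (\mathrm{WS}_{\times})\\
\forall \alpha^0.\ \forall \beta^0.\ \forall l^\ell.\ l^\ell \in {=}(\alpha^0,\beta^0) \Leftrightarrow \alpha^0[l^\ell]^0 = \beta^0[l^\ell]^0 & (\mathrm{WS}_{=})
\end{array}$$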
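$$\begin{array}{rcl}
t[\mathit{nil}]^{j} &\to& t\\
1^{j}[t ::^{j} l]^{j} &\to& t\\
S^{j}(n)[t ::^{k} l]^{j} &\to& n[l]^{j}\\
s(n)[l]^{0} &\to& s(n[l]^{0})\\
(t_1 + t_2)[l]^{0} &\to& t_1[l]^{0} + t_2[l]^{0}\\
(t_1 \times t_2)[l]^{0} &\to& t_1[l]^{0} \times t_2[l]^{0}\\
l \in {=}(t_1,t_2) &\to& t_1[l]^{0} = t_2[l]^{0}\\
l \in {\in^{j'}}(t_1,t_2) &\to& t_1[l]^{j'} \in^{j'} t_2[l]^{j'+1}\\
l \in A \cup B &\to& l \in A \lor l \in B\\
l \in A \cap B &\to& l \in A \land l \in B\\
l \in A \supset B &\to& l \in A \Rightarrow l \in B\\
l \in \mathcal{P}^{j}(A) &\to& \exists x.\ x ::^{j} l \in A\\
l \in \mathcal{C}^{j}(A) &\to& \forall x.\ x ::^{j} l \in A\\
x \in^{j'} \mathit{comp}^{j'+1}(A) &\to& x ::^{j'} \mathit{nil} \in A
\end{array}$$

for all $0 \le j \le i$, $0 \le k \le i$ and $0 \le j' < i$

Figure 2: Rewrite rules of $\mathcal{HO}_i$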

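$$\begin{array}{ll}
\forall \alpha^j.\ \forall \beta^{j+1}.\ \forall l^\ell.\ l^\ell \in {\in^j}(\alpha^j,\beta^{j+1}) \Leftrightarrow \alpha^j[l^\ell]^j \in^j \beta^{j+1}[l^\ell]^{j+1} & (\mathrm{WS}_{\in^j})\\
\forall \alpha^c.\ \forall \beta^c.\ \forall l^\ell.\ l^\ell \in \alpha^c \cup \beta^c \Leftrightarrow l^\ell \in \alpha^c \lor l^\ell \in \beta^c & (\mathrm{WS}_{\lor})\\
\forall \alpha^c.\ \forall \beta^c.\ \forall l^\ell.\ l^\ell \in \alpha^c \cap \beta^c \Leftrightarrow l^\ell \in \alpha^c \land l^\ell \in \beta^c & (\mathrm{WS}_{\land})\\
\forall \alpha^c.\ \forall \beta^c.\ \forall l^\ell.\ l^\ell \in \alpha^c \supset \beta^c \Leftrightarrow l^\ell \in \alpha^c \Rightarrow l^\ell \in \beta^c & (\mathrm{WS}_{\Rightarrow})\\
\forall l^\ell.\ l^\ell \in \emptyset \Leftrightarrow \bot & (\mathrm{WS}_{\bot})\\
\forall \alpha^c.\ \forall l^\ell.\ (l^\ell \in \mathcal{P}^j(\alpha^c) \Leftrightarrow \exists \beta^j.\ \beta^j ::^j l^\ell \in \alpha^c) & (\mathrm{WS}_{\exists^j})\\
\forall \alpha^c.\ \forall l^\ell.\ (l^\ell \in \mathcal{C}^j(\alpha^c) \Leftrightarrow \forall \beta^j.\ \beta^j ::^j l^\ell \in \alpha^c) & (\mathrm{WS}_{\forall^j})
\end{array}$$

We call $Z_i^{ws}$ the theory consisting of all the axioms from (Refl) to (WS$_{\forall^j}$), but not the axiom schemata (Leibniz), (Ind) and (Comp$^j$).

Proposition 4.1. The theory $Z_i^{ws}$ is a conservative extension of $Z_i$.

Proof. This is Proposition 4 of Kirchner (2007). □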



Now, we use skolemization to transform (Comp$^j_{ax}$) (see van Dalen, 1989, Section 3.4). We add new function symbols $\mathit{comp}^j : [c] \to j$ for all $0 < j \le i$. We then consider the skolemized version of (Comp$^j_{ax}$):

$$\forall \gamma^c.\ \forall \beta^j.\ \beta^j \in^j \mathit{comp}^{j+1}(\gamma^c) \Leftrightarrow \langle\beta^j\rangle \in \gamma^c \qquad (\mathrm{Comp}^j_{sk})$$

We denote by $Z_i^{sk}$ the theory $Z_i^{ws}$ where (Comp$^j_{ax}$) is replaced by (Comp$^j_{sk}$).

Proposition 4.2. The theory $Z_i^{sk}$ is a conservative extension of $Z_i^{ws}$.

Proof. According to van Dalen (1989, Corollary 3.4.5), $Z_i^{ws} \cup \{(\mathrm{Comp}^j_{sk})\}$ is a conservative extension of $Z_i^{ws}$. But (Comp$^j_{ax}$) can be proved in $Z_i^{sk}$ so that we can drop it. □

We can then transform each axiom where a higher-order function symbol or predicate appears, as well as axioms decoding classes, into rewrite rules, and work modulo the resulting rewrite system. We denote by $\mathcal{HO}_i$ the rewrite system defined in Figure 2. This rewrite system has the following properties:

• It is finite (for a given $i$).

• It is terminating in a polynomial number of steps (Proposition 4.3).

• It is confluent: it terminates and it is locally confluent, since the only critical pairs, of the form $f(t_1,\dots,t_n) \xleftarrow{\ \mathcal{HO}_i\ } f(t_1,\dots,t_n)[\mathit{nil}]^j \xrightarrow{\ \mathcal{HO}_i\ } f(t_1[\mathit{nil}]^j,\dots,t_n[\mathit{nil}]^j)$ for $f \in \{+;\times;s\}$, are easily joinable.

• It is left-linear, i.e. variables appear only once on the left-hand side of each rule.
Before showing that $\mathcal{HO}_i$ has a polynomially bounded derivational complexity, let us first see how $\mathcal{HO}_i$ works and, in particular, how it can be used to encode propositions as terms. Proposition 2 of Kirchner (2007) says that, for all propositions $P$ of the language of $i$-th order arithmetic, and for all finite lists of variables $\alpha_1^{j_1}, \dots, \alpha_n^{j_n}$, it is possible to prove

$$\exists E^c.\ \forall \alpha_1^{j_1} \cdots \alpha_n^{j_n}.\ \langle \alpha_1^{j_1}, \dots, \alpha_n^{j_n}\rangle \in E^c \Leftrightarrow P$$

Moreover, the proof of this proposition shows us how to construct the witness for $E^c$. We will denote it by $E_P^{\alpha_1^{j_1},\dots,\alpha_n^{j_n}}$, and it is therefore defined as:

7110 ! 7 

-- S j (\\a j \\ a ?>-' ai ") 
-- 

= 5°(||0|| Q 2 2 '-' Q " n ) 

= 8(\\t\\°i 1 >~' a &) 



il+t 2 ll<-' 


n 3n 
u n 








hxt 2 \\ a ?>- 


n in 


= iitiir* 


-,Q!„ x 




^h=t 2 




= = (IN 


U 1 ,-,c4r 


,||t 2 ||<'-^ n ) 










AM * 1 '"" *) 



E? 1 ' 



if oP ^ oP l 



31 



cy 31 fy Jn 


= 


n> 3n 


Q J1 


••l u n 








^PAQ 


- Ef- 




n " 










^PVQ 


- Ef>- 




of* 1 

U Eg 1 










rJl n 3n 

MaK P 


= v(E a ; 


,< 






if a-' 




Qp n \ 

• i "n J 


rv jl rJ" 


= Vi(E a p 


A 1 






if oP 




a-'"!- 



Ql. 



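Then, one can prove that $\langle t_1, \dots, t_n\rangle \in E_P^{\alpha_1,\dots,\alpha_n} \longrightarrow^{*} \{t_1/\alpha_1, \dots, t_n/\alpha_n\}P$. For instance, consider the proposition $P = (x = 0 \lor \exists y.\ x \in^0 y)$. Then $E_P^{x}$ equals ${=}(1^0, S^0(0)) \cup \mathcal{P}^1({\in^0}(S^0(1^0), 1^1))$ and $\langle t\rangle \in E_P^{x}$ can be rewritten to $t = 0 \lor \exists x^1.\ t \in^0 x^1$:

$$\begin{array}{rl}
\langle t\rangle \in E_P^{x} \longrightarrow & \langle t\rangle \in {=}(1^0, S^0(0)) \lor \langle t\rangle \in \mathcal{P}^1({\in^0}(S^0(1^0), 1^1))\\
\longrightarrow^{*} & (1^0[t ::^0 \mathit{nil}]^0 = S^0(0)[t ::^0 \mathit{nil}]^0) \lor \exists x^1.\ \langle x^1, t\rangle \in {\in^0}(S^0(1^0), 1^1)\\
\longrightarrow^{*} & (t = 0[\mathit{nil}]^0) \lor \exists x^1.\ S^0(1^0)[x^1 ::^1 t ::^0 \mathit{nil}]^0 \in^0 1^1[x^1 ::^1 t ::^0 \mathit{nil}]^1\\
\longrightarrow^{*} & t = 0 \lor \exists x^1.\ 1^0[t ::^0 \mathit{nil}]^0 \in^0 x^1\\
\longrightarrow & t = 0 \lor \exists x^1.\ t \in^0 x^1
\end{array}$$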
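The rewriting sequence above can be replayed mechanically. The following Python code is an added example, not code from the paper: it implements the rules of Figure 2 that the example uses, normalizes $\langle t\rangle \in E_P^x$ and a comprehension instance $t \in^0 \mathit{comp}^1(E_P^x)$, and counts the rewrite steps. The tuple encoding of terms, all function names and the fresh-variable names x1, x2, … are assumptions of this example.

```python
import itertools

NIL, ZERO = ('nil',), ('zero',)
CONN = {'union': 'or', 'inter': 'and', 'impc': 'imp'}   # class connective -> proposition connective
QUANT = {'P': 'ex', 'C': 'all'}                         # class binder -> quantifier

def cons(j, head, tail): return ('cons', j, head, tail)  # head ::^j tail
def sub(j, term, lst):   return ('sub', j, term, lst)    # term[lst]^j
def mem(lst, cls):       return ('mem', lst, cls)        # lst ∈ cls

def fresh_names():
    """Bound-variable names x1, x2, ...; assumed not to occur in the input."""
    return (f"x{n}" for n in itertools.count(1))

def rewrite_root(t, fresh):
    """Apply one rule of Figure 2 at the root of t, or return None."""
    tag = t[0]
    if tag == 'sub':
        _, j, u, l = t
        if l == NIL:
            return u                                        # t[nil]^j -> t
        if l[0] == 'cons':
            if u[0] == 'one' and l[1] == u[1] == j:
                return l[2]                                 # 1^j[t ::^j l]^j -> t
            if u[0] == 'S' and u[1] == j:
                return sub(j, u[2], l[3])                   # S^j(n)[t ::^k l]^j -> n[l]^j
        if u[0] == 's':
            return ('s', sub(0, u[1], l))                   # s(n)[l]^0 -> s(n[l]^0)
        if u[0] in ('+', '*'):
            return (u[0], sub(0, u[1], l), sub(0, u[2], l))
    elif tag == 'mem':
        _, l, cls = t
        kind = cls[0]
        if kind == 'eqc':                                   # l ∈ =(t1, t2)
            return ('eq', sub(0, cls[1], l), sub(0, cls[2], l))
        if kind == 'inc':                                   # l ∈ ∈^j(t1, t2)
            j = cls[1]
            return ('in', j, sub(j, cls[2], l), sub(j + 1, cls[3], l))
        if kind in CONN:                                    # l ∈ A ∪ B, A ∩ B, A ⊃ B
            return (CONN[kind], mem(l, cls[1]), mem(l, cls[2]))
        if kind in QUANT:                                   # l ∈ P^j(A), l ∈ C^j(A)
            x = ('var', next(fresh))
            return (QUANT[kind], cls[1], x, mem(cons(cls[1], x, l), cls[2]))
    elif tag == 'in' and t[3][0] == 'comp':
        return mem(cons(t[1], t[2], NIL), t[3][2])          # x ∈^j comp^{j+1}(A) -> x ::^j nil ∈ A
    return None

def normalize(t, fresh):
    """Return (normal form, number of rewrite steps) of t."""
    steps = 0
    while True:
        reduct = rewrite_root(t, fresh)
        if reduct is not None:
            t, steps = reduct, steps + 1
            continue
        rebuilt, inner = [], 0
        for child in t:
            if isinstance(child, tuple):
                child, k = normalize(child, fresh)
                inner += k
            rebuilt.append(child)
        steps += inner
        if inner == 0:
            return t, steps
        t = tuple(rebuilt)        # children changed: the root may be reducible again

T = ('var', 't')
# E_P^x for P = (x = 0 ∨ ∃y. x ∈^0 y), exactly as stated in the text
E_P = ('union',
       ('eqc', ('one', 0), ('S', 0, ZERO)),
       ('P', 1, ('inc', 0, ('S', 0, ('one', 0)), ('one', 1))))

def decode_example():
    """Normalize <t> ∈ E_P^x."""
    return normalize(mem(cons(0, T, NIL), E_P), fresh_names())

def comprehension_example():
    """Normalize t ∈^0 comp^1(E_P^x): the comprehension instance is pure computation."""
    return normalize(('in', 0, T, ('comp', 1, E_P)), fresh_names())

if __name__ == "__main__":
    print(decode_example())
    print(comprehension_example())
```

Both calls end on the encoding of $t = 0 \lor \exists x_1.\ t \in^0 x_1$; the second takes one extra step, the one performed by the last rule of Figure 2.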



Proposition 4.3. The derivational complexity of $\mathcal{HO}_i$ is polynomially bounded.

Proof. Let us denote by $WS_i$ the system $\mathcal{HO}_i$ without the last rule. $WS_i$ computes the application of a substitution to (the encoding of) a proposition. It cannot be applied more than the size of the right-hand side of $\in$ and the left-hand side of $\cdot[\cdot]$ (by simple induction on the derivation). Therefore, the derivational complexity of $WS_i$ is linear. Now, note that a substitution is blocked by all $\mathit{comp}^j$, i.e. $\mathit{comp}^j(t)[l]$ cannot be reduced if neither $t$ nor $l$ can. Therefore, the last rule of $\mathcal{HO}_i$ can only be applied to the outermost $\mathit{comp}^j$s: due to the sort constraints, the predicate $\in^j$ cannot appear inside a $\mathit{comp}^j$, and if a class symbol $\in^j$ is transformed into a predicate $\in^j$ by the rule $l \in {\in^j}(t_1,t_2) \to t_1[l]^j \in^j t_2[l]^{j+1}$, the substitution applied to $t_2$ blocks $\mathit{comp}^{j+1}$ if it is its function symbol. Applying $WS_i$ can duplicate the initially outermost $\mathit{comp}^j$s, but not more than the total number of V in the initial term. Once the last rule of $\mathcal{HO}_i$ is applied to all these copies of the outermost $\mathit{comp}^j$s, only $WS_i$ can be applied. Therefore, the derivational complexity of $\mathcal{HO}_i$ is polynomially bounded. □



The axiom schemata (Leibniz), (Ind) and (Comp$^j$) can be replaced by the proofs in Figure 3. Note that the replacement for (Comp$^j$) does not need extra axioms, because all is done in the congruence.

Let $FZ$ be the theory consisting of (Refl), Robinson's axioms ($0 \neq s$) to ($\times_s$), (Leibniz$_{ax}$) and (Ind$_{ax}$), consisting only of a finite number of axioms, all of them in the language of $Z_0$ plus the language of Kirchner's classes. A proof $\pi$ of $P$ in the schematic system for $Z_i$ can be translated into a proof of $P$ in natural deduction modulo $\mathcal{HO}_i$ using assumptions in $FZ$ whose length is linear compared to the length of $\pi$.

Proposition 4.4. It is possible to translate a proof of length $n$ in the schematic system for $Z_i$ into a proof of length $O(n)$ in the natural deduction modulo $\mathcal{HO}_i$ using assumptions in $FZ$.

$$Z_i \vdash^{S}_{k} P \quad\leadsto\quad FZ \vdash^{N}_{O(k),\ \mathcal{HO}_i} P$$

Proof. Instances of axiom schemata in the proof in $Z_i$ are replaced by the proofs in Figure 3, whose length is fixed. □

This result can also be stated entirely in natural deduction:

Theorem 4.5. For all $i > 0$, there exists a finite confluent rewrite system with polynomially bounded derivational complexity $\mathcal{HO}_i$ such that for all propositions $P$, if $Z_i \vdash^{N}_{k} P$ then $FZ \vdash^{N}_{O(k),\ \mathcal{HO}_i} P$.

Proof. We replace the instances of the axiom schemata (Leibniz), (Ind) and (Comp$^j$) by proofs using the axioms (Leibniz$_{ax}$) and (Ind$_{ax}$) as indicated in Figure 3.
□
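$$\forall\text{-e}\ \dfrac{\forall \gamma^c.\ \forall \alpha^0 \beta^0.\ \alpha^0 = \beta^0 \Rightarrow \langle\alpha^0\rangle \in \gamma^c \Rightarrow \langle\beta^0\rangle \in \gamma^c \quad (\mathrm{Leibniz}_{ax})}{\forall \alpha^0 \beta^0.\ \alpha^0 = \beta^0 \Rightarrow A(\alpha^0) \Rightarrow A(\beta^0)}$$

(because $\langle\alpha^0\rangle \in E^{x}_{A(x)} \Rightarrow \langle\beta^0\rangle \in E^{x}_{A(x)} \longrightarrow^{*} A(\alpha^0) \Rightarrow A(\beta^0)$)

$$\forall\text{-e}\ \dfrac{\forall \gamma^c.\ \langle 0\rangle \in \gamma^c \Rightarrow (\forall \beta^0.\ \langle\beta^0\rangle \in \gamma^c \Rightarrow \langle s(\beta^0)\rangle \in \gamma^c) \Rightarrow \forall \alpha^0.\ \langle\alpha^0\rangle \in \gamma^c \quad (\mathrm{Ind}_{ax})}{A(0) \Rightarrow (\forall \beta^0.\ A(\beta^0) \Rightarrow A(s(\beta^0))) \Rightarrow \forall \alpha^0.\ A(\alpha^0)}$$

(because for all $t$, $\langle t\rangle \in E^{x}_{A(x)} \longrightarrow^{*} A(t)$)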



p ^ aymp>+^(E x A{x) ) (ii) 



^ 6^ comp^^) (i) 



A-i 



0* G J comp''+ 1 (£^ ) ) ^' G-? compJ +1 (£;^ (:c) ) 



(i) 



0* €^ com^ +1 (^ (l) ) G J com^ +1 (£5 (i) ) 



3-i 



i 3+1 {E x A(x) ) 



Figure 3: Translations of the axiom schemata (Leibniz), (Ind) and (Comp$^j$)



4.2. Higher-order arithmetic as purely computational theory. We define here higher-order arithmetic entirely as a rewrite system modulo which inference will be applied. This is in line with the work of Dowek and Werner (2005) who express first-order arithmetic as a theory modulo. The idea is to combine this with the rewrite system of the previous section, to get a characterization of higher-order arithmetic. Notwithstanding, we will look carefully at the length of proofs in the translations.

Dowek and Werner (2005) use the following method to introduce the induction schema for first-order arithmetic: they add a new predicate $N$ of arity $[0]$ which essentially says that an element is a natural number, and thus can be used in the induction schema. $N(n)$ can therefore be rewritten to $\forall p.\ 0 \in p \Rightarrow (\forall y.\ N(y) \Rightarrow y \in p \Rightarrow s(y) \in p) \Rightarrow n \in p$. Then, function symbols $f_P^{x,y_1,\dots,y_n}$ for each proposition $P$ of first-order arithmetic with free variables $x, y_1, \dots, y_n$ are added, as well as rewrite rules $x \in f_P^{x,y_1,\dots,y_n}(y_1,\dots,y_n) \to P$. To prove a proposition using induction, we need to know that the variables used in the proof are natural numbers, hence quantifiers are relativized with the predicate $N$ (i.e. $\forall x.\ P$ becomes $\forall x.\ N(x) \Rightarrow P$, and $\exists x.\ P$ becomes $\exists x.\ N(x) \land P$). Using this, it is proved (Dowek and Werner, 2005, Proposition 13) that we obtain a conservative extension of first-order arithmetic. Nevertheless, the length of the proofs is not preserved by the relativization. Indeed, to translate a proof whose last step is

$$\forall\text{-e}\ \dfrac{\begin{array}{c}\pi\\ \forall x.\ P\end{array}}{\{t/x\}P}$$

we have to transform it into a proof

$$\Rightarrow\text{-e}\ \dfrac{\begin{array}{c}\varpi\\ N(t)\end{array} \qquad \forall\text{-e}\ \dfrac{\begin{array}{c}\pi\\ \forall x.\ N(x) \Rightarrow P\end{array}}{N(t) \Rightarrow \{t/x\}P}}{\{t/x\}P}$$

The problem is that the length of the proof $\varpi$ depends on the size of $t$.

Arithmetic rules:

$$\begin{array}{rcl@{\qquad}rcl}
\mathit{pred}(0) &\to& 0 & 0 \times y &\to& 0\\
\mathit{pred}(s(x)) &\to& x & s(x) \times y &\to& x \times y + y\\
0 + y &\to& y & \mathit{Null}(0) &\to& \top\\
s(x) + y &\to& s(x + y) & \mathit{Null}(s(x)) &\to& \bot
\end{array}$$

Axiom schemata:

$$\begin{array}{rcl}
x = y &\to& \forall z^c.\ \langle x\rangle \in z \Rightarrow \langle y\rangle \in z\\
x \in^j \mathit{comp}^{j+1}(y) &\to& x ::^j \mathit{nil} \in y\\
x ::^0 \mathit{nil} \in p &\to& \langle x\rangle \in p \lor (\langle 0\rangle \in p \land \forall y.\ \langle y\rangle \in p \Rightarrow \langle s(y)\rangle \in p)
\end{array}$$

Substitutions and classes: $WS_i$ +

$$\begin{array}{rcl}
\mathit{pred}(n)[l]^0 &\to& \mathit{pred}(n[l]^0)\\
l \in \mathit{Null}(t) &\to& \mathit{Null}(t[l]^0)
\end{array}$$

Figure 4: Rewrite rules of $\mathcal{HHA}_i^{mod}$

Hence, we use a different approach. Starting from $FZ$ modulo $\mathcal{HO}_i$, it remains to orient the axioms of $FZ$ into rewrite rules. Axioms ($+_0$) to ($\times_s$) can be easily oriented. To orient (Refl) and (Leibniz$_{ax}$), we use the axiom

$$\forall \alpha^0 \beta^0.\ \alpha^0 = \beta^0 \Leftrightarrow (\forall \gamma^c.\ \langle\alpha^0\rangle \in \gamma^c \Rightarrow \langle\beta^0\rangle \in \gamma^c) \qquad (=_{def})$$

which is equivalent to their conjunction. (Onto$_s$) is redundant if the induction principle is present, so it can be dropped. To encode ($0 \neq s$) and (Inj$_s$), we use the same technique as Dowek and Werner (2005): we introduce a new function symbol $\mathit{pred} : [0] \to 0$ and a new predicate $\mathit{Null} : [0]$, as well as new axioms defining them:

$$\begin{array}{ll}
\mathit{pred}(0) = 0 & (\mathit{pred}_0)\\
\forall \alpha^0.\ \mathit{pred}(s(\alpha^0)) = \alpha^0 & (\mathit{pred}_s)\\
\mathit{Null}(0) & (\mathit{Null}_0)\\
\forall \alpha^0.\ \lnot \mathit{Null}(s(\alpha^0)) & (\mathit{Null}_s)
\end{array}$$

which can be easily oriented. It remains to orient the induction principle (Ind$_{ax}$). The most problematic part is that this axiom is the universal closure of an implication, whereas proposition rewrite rules are compatible with universal closures of logical equivalences. We use the fact that $B \Rightarrow A$ is intuitionistically equivalent to $A \Leftrightarrow A \lor B$, so that (Ind$_{ax}$) is equivalent to

$$\forall \alpha^0 \gamma^c.\ \langle\alpha^0\rangle \in \gamma^c \Leftrightarrow (\langle\alpha^0\rangle \in \gamma^c \lor (\langle 0\rangle \in \gamma^c \land (\forall \beta^0.\ \langle\beta^0\rangle \in \gamma^c \Rightarrow \langle s(\beta^0)\rangle \in \gamma^c))) \qquad (\mathrm{Ind}_{mod})$$

If we do not use (TND) as axiom (i.e. if we work in intuitionistic logic), we therefore obtain a formulation of higher-order Heyting arithmetic through the rewrite system $\mathcal{HHA}_i^{mod}$ defined in Figure 4. With this rewrite system, we can linearly simulate higher-order arithmetic in deduction modulo:
Theorem 4.6. For all $i$ there exists a finite rewrite system $\mathcal{HHA}_i^{mod}$ such that for all propositions $P$ in the language of $Z_i$, if $Z_i \vdash^{N}_{k\ \text{steps}} P$ then $\vdash^{N}_{O(k)\ \text{steps},\ \mathcal{HHA}_i^{mod}} P$.

Proof. It is sufficient to prove that all instances of the axiom schemata of $Z_i$ can be proved in a bounded number of steps.
(Refl) can be proved by

(a ) e p c (i) 

=>•-! (l) 

. (a ) e/=> (a ) e p c 

w ■ VP C - <Q°) g P c =» e p c ut) , c . . c 

V-i n p; ^ a = a — >yp ■ ( a ' e P =^ ( a > e P 

Va . cr = a 



($0 \neq s$) is proved using $x = y \to \forall z^c.\ \langle x\rangle \in z \Rightarrow \langle y\rangle \in z$



w = s(a°) (i) 

V-e — -r— — — — -r— " T-i 



(0) e Null(l°) (s(a )) e iVuZZ(l ) " Nxdl(0) <o> e AM(i°) -i*tf«H(o) — »t 

• -L m <s(a°)> e AT^(1°) -AiV««Z(s(a )) — 

= s(a°)^J- 
V ^ Va°. - = s(a°) 
Let $E_{(\mathrm{Inj}_s)}$ be ${=}(S^0(\alpha^0), \mathit{pred}(1^0))$, (Inj$_s$) is proved by



a ) e p c (i) 

(i) 



s(a°) = s(P°) (i) (a ) e/^ (a ) e p c 
V-e , ; n „ , , „ n ,> V-i 



-e 



(s(a°)) e F^^{s((3 )) e F^ 



W 



S (q0) = g(g) q0 = /gO 

V ^ Va°/?°- s(a°) = s(^°) a = /3° 2>< 



Let $E_{(\mathrm{Onto}_s)} = ({=}(1^0, S^0(0)) \supset \emptyset) \supset \mathcal{P}^0({=}(S^0(1^0), s(1^0)))$. (Onto$_s$) is proved by

. g p c (iii) 

(o) e P c (ii) v i 6 p c ± ( s (y)) £ p c 

^ (0) e p c => (0) e P c (U) 3 = s ^ = s ^ 

V " J 0^0 = 0^J_(i) . 3/3°. g(y) = s(/3°) 

=^- e ; — — r~\ — e — 

3/3°. a° = s(/3°) ^ y e fftel=>s(y) g ^tell 

"? ^0 = 0^ 3/3°. a° = s(/3°) ' -1 Vy. y e £ ^tel 

.. . (0) £ ffo^]AVy. (y) e ^joT^I^ (s(y)) g OntoJ 

. q=° £ ^teg 

Va°. (-. a = 0) => 3/3°. a = s(/?°) 

($+_0$) to ($\times_s$) are easy to prove using the arithmetical rules and the rule for $=$.
(Ind) has the following proof:
A-1'

V-i- 



P(0) (i) Mft. P(ft) =» P(s(ft)) (ii) 
(0) e Ep A V/3°. (/3°) eEf^ (s(/? )) e Pf, 



V-i- 



(cr 



e P? 



Vq°. P(a°) 



P(0) (V/3°. P(/3°) P(s(/? ))) Va°. P(a°) 



(Comp$^j$) has the following proof:



ft €■? comp> +1 {E x A ) (i) 



(9= 



A-i 



ft G j comp> +l {E x A ) => (/^') e P^ " 0» e P; 



'.4 



V-i 



3-i 



ft € J com^ +1 (P^) ^ (^) e P^ 
* yft. ft e j comp> +l {E x A ) A(ft) 



(ft) g PI (ii) 

G J ' com^' +1 (P^) 



3a^' +1 . yft. ft G J a J+1 ^(/^ 



□ 



What we obtain is a conservative extension:

Theorem 4.7. For all propositions $P$ in the language of $Z_i$, if $\vdash_{\mathcal{HHA}_i^{mod}} P$ then $Z_i \vdash P$.

Proof. First, we can show, as do Dowek and Werner (2005), that adding $\mathit{pred}$, $\mathit{Null}$ and the axioms ($\mathit{pred}_0$) to ($\mathit{Null}_s$) gives a conservative extension. This can be done by Skolemizing the proposition $\forall \alpha^0.\ \exists \beta^0.\ (\alpha^0 = 0 \Rightarrow \beta^0 = 0) \land (\forall \gamma^0.\ \alpha^0 = s(\gamma^0) \Rightarrow \beta^0 = \gamma^0)$, which holds in first-order arithmetic, and by interpreting $\mathit{Null}(x)$ as $x = 0$.

Then, we apply the method of Kirchner, which gives a conservative extension.

Finally we skolemize the axioms corresponding to the comprehension schemata, and thus we obtain a conservative extension (see van Dalen, 1989). Finally, we just have to prove the equivalence of (Refl) and (Leibniz$_{ax}$) with ($=_{def}$), which is easy.

It can be remarked that the presentation obtained is compatible with $\mathcal{HHA}_i^{mod}$, hence the conclusion of the theorem. □

Compared to $\mathcal{HO}_i$, the main issue is that the derivational complexity of $\mathcal{HHA}_i^{mod}$ is not polynomially bounded; actually, it does not even terminate. The non-termination is due to the rule encoding the induction principle, since it can be proved that the complexity of $\mathcal{HHA}_i^{mod}$ without this rule is polynomially bounded. It is not too surprising, since the real power of arithmetic lies in this principle. Note that Dowek and Werner (2005, Remark 1) propose a terminating rule to encode the induction principle, but, as said before, proof length is not kept. In fact, it can be proved that there is an arbitrary proof-length speed-up between the axiomatic presentation of first-order arithmetic and the presentation of Dowek and Werner: $\exists \alpha^0.\ \alpha^0 = n$ can be proved in at most 7 steps in first-order arithmetic, whereas it needs a proof length linear in $n$ in the system of Dowek and Werner.

Poincaré (1902) advocates that everything in first-order arithmetic but the induction principle should be presented as computation, because the induction principle represents the only real deductive axiom of the theory. Following this idea, we want to keep all rewrite rules of $\mathcal{HHA}_i^{mod}$ but the rule for the induction principle, and present this latter rule in another way. Instead of using it as an axiom, we can apply the ideas within supernatural deduction (Wack, 2005) to it. Supernatural deduction consists in transforming proposition rewrite rules into new inference rules. It cannot be applied in our case, since $\lor$ cannot be handled by supernatural deduction. However, it inspires the new inference rule
Ind-i



(0) 



e a 



e a 



e a 



e a" 



$\beta^0$ not free in $\langle t^0\rangle \in \alpha^c$ nor in the assumptions above

Proving with this new inference rule is equivalent to proving using the axiom (Ind$_{mod}$).



We obtain a first-order proof system for higher-order arithmetic which is axiom-free, whose 
proofs can be checked in polynomial time, and whose proof lengths are the same as in the 
axiomatic presentations of higher-order arithmetic. 

Note 2. With the rule that we use for arithmetic, we cannot extend the proof of the normalization through reducibility candidates as done by Dowek and Werner (2005), or through super consistency by Dowek (2007). It currently remains an open question whether proofs of the natural deduction modulo $\mathcal{HHA}_i^{mod}$ normalize or not.



5. Applications to proof-length speed-ups

Because of Theorem 4.5 and Theorem 4.6 there is obviously no proof-length speed-up between $Z_i$, $FZ$ modulo $\mathcal{HO}_i$ and modulo $\mathcal{HHA}_i^{mod}$. Furthermore, there exists a speed-up between all these and $Z_{i-1}$ which can be decomposed as follows.

5.1. Speed-up over compatible theories. In this section, we prove that there exists a speed-up between $FZ$ modulo $\mathcal{HO}_i$ and $FZ$ plus any finite theory compatible with $\mathcal{HO}_i$. Theorem 2.3 makes it not surprising that, if we consider $FZ$ plus a finite theory compatible with $\mathcal{HO}_i$, we get a speed-up with $Z_i$ (or with $FZ$ modulo $\mathcal{HO}_i$). That shows the interest of using deduction modulo.

Proposition 5.1. For all $i$, there is an infinite family $\mathcal{F}$ such that for all finite presentations $\Gamma_i$ compatible with $\mathcal{HO}_i$,

(1) for all $P \in \mathcal{F}$, we have $FZ, \Gamma_i \vdash P$

(2) there is a fixed $k \in \mathbb{N}$ such that for all $P \in \mathcal{F}$, we have $FZ \vdash^{N}_{k\ \text{steps},\ \mathcal{HO}_i} P$

(3) there is no fixed $k \in \mathbb{N}$ such that for all $P \in \mathcal{F}$, we have $FZ, \Gamma_i \vdash^{N}_{k\ \text{steps}} P$

Proof. As in the proof of Theorem 2.3 we first consider the standard finite presentation $HO_i$ compatible with $\mathcal{HO}_i$, that is, axioms from (WS$_{nil}$) to (WS$_{\forall^j}$) and axioms (Comp$^j_{sk}$). Consider the set of propositions corresponding to all instantiations of the comprehension schema (Comp$^{i-1}$). In $FZ$ modulo $\mathcal{HO}_i$, these propositions can be proved in five steps as done in Fig. 3. Obviously, $FZ$ is not enough to prove all of them, so that (Comp$^{i-1}_{sk}$) has to be used in the proofs in $FZ, HO_i$. Nevertheless, the term of sort $c$ instantiated in it cannot have a bounded size. Then, the decomposition of this term using $HO_i$ cannot be done in a bounded number of steps. We then use Proposition 2.2 to extend this to any finite presentation compatible with $\mathcal{HO}_i$. □
[Diagram relating $Z_{i-1}$, $FZ, \Gamma_i$, $Z_i$, $FZ$ modulo $\mathcal{HO}_i$ and $\mathcal{HHA}_i^{mod}$ across the orders up to the $i$-th and $(i+1)$-st, with edges labelled "speed-up (Buss)", "speed-up (Prop. 5.2)", "speed-up (Prop. 5.1)", "linear (Theo. 4.5)" and "linear (Theo. 4.6)"; proof length decreases along the speed-up edges.]

Figure 5: Speed-ups in higher-order arithmetic and deduction modulo

5.2. Speed-up due to higher orders. It is also possible to get a speed-up between $FZ$ plus any presentation compatible with $\mathcal{HO}_i$ and $Z_{i-1}$.

Proposition 5.2. For all $i > 0$, there is an infinite family $\mathcal{F}$ such that for all presentations $\Gamma_i$ compatible with $\mathcal{HO}_i$,

(1) for all $P \in \mathcal{F}$, we have $Z_{i-1} \vdash P$

(2) there is a fixed $k \in \mathbb{N}$ such that for all $P \in \mathcal{F}$, we have $FZ, \Gamma_i \vdash^{N}_{k\ \text{steps}} P$

(3) there is no fixed $k \in \mathbb{N}$ such that for all $P \in \mathcal{F}$, we have $Z_{i-1} \vdash^{N}_{k\ \text{steps}} P$

Proof. If we look at Buss' proof of Theorem 1.1, the infinite family of propositions he uses are of the form $P(n)$ where $\forall n.\ P(n)$ can be proved in $Z_i$ whereas in $Z_{i-1}$, $P(n)$ can be proved, but not with less than $n$ steps. So to get a speed-up it is sufficient to prove that $\forall n.\ P(n)$ can be proved in $FZ$ plus $\Gamma_i$, which is the case because of Theorem 4.5 and (Dowek et al., 2003, Proposition 1.8). We also need Proposition 3.2 to show that if the length of the proofs in $\vdash^{N}$ was bounded, it would be the same in $\vdash^{S}$, hence a contradiction with Theorem 1.1. □

The links between the different systems for higher-order arithmetic presented in this paper are summarized in Figure 5.
6. Conclusion and discussion

In this paper, we have proposed a rigorous framework to study proof lengths in deduction modulo, by imposing that proofs must be checkable in polynomial time. We have shown that even with this strict condition, proofs in deduction modulo can be arbitrarily shorter than proofs using axiomatizations. We have applied these ideas to study the length of proofs in higher-order arithmetic. We have encoded higher orders as a first-order rewrite system, and proved that proofs have the same length in higher-order arithmetic and in first-order arithmetic modulo this system. We have also defined a system for higher-order arithmetic without resorting to any axiom, where proofs can be checked in polynomial time and have the same length as in the higher-order axiomatization. All these results open interesting issues that we now discuss.

The first question that arises from this work is the definition of what should be considered as a proof. Until recently, automated theorem provers only answered yes or no (or maybe), and if the prover was correct, this could be considered as a proof. Of course, the correctness of such provers, often implemented using low-level tricks to increase the efficiency, is hard to prove. Therefore, many provers now generate certificates that can be checked in more trustworthy provers (such as proof assistants like Coq or Isabelle). These certificates can therefore be considered as proofs, although they may not contain every step that would be included in a usual formal proof, but only the hints that make it possible to build the formal proof. This idea is also important for proof-carrying code (Necula, 1997): in this setting, the code of an application is distributed with a certificate proving its correctness. The user of the code can therefore check the correctness using the code and its certificates. It is crucial to have certificates that are small enough, because they are distributed with the code, but that can be checked efficiently, because such code is often distributed to low-resource systems such as mobile phones. Here again, a tradeoff has to be found between the details present in the certificates and the complexity of their checking. In this paper, we have advocated that the natural criterion to define what a proof is, is that it can be feasibly checked. Of course, depending on the context, this criterion could be relaxed or strengthened.

Another question concerns the role of computation in the speed-ups in higher-order arithmetic. We have proved, at least to some extent, that part of these speed-ups originates from the computation (Proposition 5.1). However, it seems that what really makes proofs shorter is the ability to reason about higher-order objects, even if they are encoded by first-order ones (Proposition 5.2). The real point of our results is that it is possible to use such finite first-order encodings while preserving the length of proofs, provided that one works modulo some computation.

Another point is that rewrite steps are not counted into the length of the proofs. However, these steps have to be performed when searching for the proofs. We think that the speed-ups we obtained should not be considered as cheating, by hiding part of the proofs in the congruence. This must be thought of as a way to separate what is deduced and what is computed. To find a proof, both parts need to be built. To check the proof however, only the deductive part is necessary, because the rest can be effectively computed during the verification (hence the need to have a decidable congruence, even better if it can be decided in polynomial time). Note that it is also possible to obtain proof-length speed-ups even when counting the rewrite steps in the length of the proofs, as can be shown by transposing a result of Bruscoli and Guglielmi (2009) where an exponential proof-length speed-up is achieved by applying deduction steps deeply inside propositions.

These results are encouraging indicators that it is as good to work directly in higher-order logics, as is done in the current interactive theorem provers, such as Coq (http://coq.inria.fr/) and Isabelle/HOL (Nipkow, Paulson, and Wenzel, 2002), or using a first-order implementation of these logics, as could be done in a proof assistant based on deduction modulo (or on its sequel named superdeduction developed by Brauner, Houtmann, and Kirchner, 2007). It must also be proved that our results extend to the higher-order systems on which the interactive provers are based. This was partly achieved by proving that functional pure type systems can be encoded in superdeduction in a manner such that typing inferences in the pure type system are translated into proofs in superdeduction of the same length (Burel, 2008). It should also be noticed that in the expression of HOL in the sequent calculus modulo (Dowek et al., 2001), the lengths of proofs are preserved too, although it was not highlighted by the authors.



APPENDIX 

/ , [A] \ rA , 

Translation from Zi ^ to Z, T ^ B } = T A l n{ 

( m TT2 \ T(TTl) T(tT 2 ) 

u 



A A^B = , . a A^B 

1 ilMPl — „ 



7Tl VT2 

I I . A B 

A-i ■ 



A A B 



T(tt 2 ) 

. . B B^A^BtKl — . A=>A{[J ■ ■ ■ llPairl 

ilMPl — 1MP1 w 



T TTi ' ' . . A=>B (A => B) A => A A B) 

v ' IlMPl i - i - 

, . A 4 => (4 A B) 

1 ' A A B 

T(tt) 

iMPt ■ 



A-e -AAB_ ) = ^ A A B AAB^A^Q 



and similarly with (Proj$_r$) for the other side.

* V T(TT) 

, , ■ A ) = A A =>■ (A V B) dlSjTb 

and similarly with (Inj$_r$) for the other side.

, [A] . [B] 

w AVB " 2{ C " 3{ C 
V-e 

T A 2 ) 

T sN ^pj a^c ... ESS 



T(7rx) , . B=>C* (B C) => (A V B) =>• C 

; IlMPl i - 1 - 

, , Ay B (4v6)=>C 

(MFJ i : 



2d 
T (tt) {y/x}A =» fa/x}A P 

{y/x}A ) 1 {?//x}A {?//x}A =>■ Vx. A 

V -' M X . A I IMS 



Vx. A 



Note that the side conditions are satisfied. 

TT V T(TT) 

Vx. A ) I Vx. A Vx. A =>■ {t/x}A JUll 

\ T(tt) 
{t/x}A 1 {t/xjA It/xlA =>■ 3x. A (fETI) 



Ta (T2) 



_, . 7r 2 { „ \ ! t (ti) rR— {y/^}- 4 => -B 

3x. A B = llPartl ) 



3-e ^ / , , 3x. A <3x. A) => B 

b ) EB 

B 

Note that the side conditions are satisfied. 
classical ■ 



AV(A^_L) ) = AV(A^±)JTND} 



T(tt) 

A A =>■ (A A) =^ A (kJ 

(A^A)^i. ...jCTg^ 

1MB — (A^A)^A 



T (A) = A 



B =>■ C* 



/ , M [A] 
Ta[ 2 { * * 2{ B^C 



B => C 



C 

Ta (tt 2 ) T A (tti) 

ED =- JHB — 

1 ' . . B => A C (B^A^C)^A^A^C 



, . A=^A=^C ■■■ ifWt 

IMP! =- 

1 ' A^C 



, [A] [A] 

Ta| ^ B " 2{ C 
A-i - 



B AC 

Ta (tti) 

_!_ T A (tt 2 ) A => B (A => B) =>• (A => C) => A => (B A C) l|PaTr) 

. . A=>C ' 11 (A => C) => A =>■ (B A C) 

EB — 

A => (B A C) 

Ta(tt) 

/ 7r{ ' A ' A i . . A => (B A C) • • • jg 

Ta I fl _BAC = f o A ^^om— i ©0 



A-e- fl 



, M , (5AC)=>J3 fProjIt ((B A C) =» B) A =» B 



A=>B 

and similarly with (Proj$_r$) for the other side.
Ta



V-i ■ 



[A] 
B 



B VC* 



llMPl 



B=>(BVC) 



Ta (tt) 
A=> B 



(B) 



(B (B V C)) => A => (B V C) 



and similarly with (Inj$_r$) for the other side



A => (B V C) 



Ta 



7Tl{ 



V-e 



[A] 
Bye 



7T2{ 



[A,B] 
D 



T3{ 



[A,C] 
D 



D 



Ta (tt 3 ) 



C => A D 



Ta (tt2) 

A => D 
B => A D 



l)Case[l 



(C => A =^ B) => (B V C) ^> A 



B 



l lMPl 



(ByC)^A^D 



Ta(ti) 
A =>• (B V C) 



(B) 



((BVC) 



D) 



D 



D 



ED 



D 



Ta 



V-i • 



[A] \ 
{y/x}B 

vs. b y 



iGcnt 



Ta W 
A =» fa/s}B 
A => Vs. B 



Note that the side conditions are satisfied. 
[A] 



Ta 



V-c - 



l lMPl 



Vs. B 
{t/s}B 

(Vs. B) => {t/x}B CCD 



Ta (tt) 
I => Vs. B 



((Vs. B) => {t/s}B) 



{t/s}B 



Ta 



V 



[4 

{t/s}B 
3s. B 



iMPt 



Ta 



IPartt ■ 
iMPl 



{t/x}B => 3s. B fEll) 



IMPt ■ 



{t/s}B 



Ta W 
A =>■ {t/s}B 



® 



({i/^}B =>■ 3s. B) 



3s. B 



A => 3s. B 



7Tl{ 

3-e 
T B 



3s. B 



[A,{j//s}B] 
C* 



Ta (T2) 
A^C 

{y/x}B A^C 



3s. B =s> A 



C 



Ta (tu) 
A 3s. B 



® 



(3s. B : 



• C) => A : 



c 



IMPt 



c 



lfW)l 



Note that the side conditions are satisfied 
[A] 



C 



B 



Ta W 
A=> _L 



(A => ±) => A B | |EFSQ| I 



B 



T A (A) = A A © 



26 



GUILLAUME BUREL 



T(tt) 

/7r\! D^4^ D ji7i lfthe assumption A is not actually 

A \ B ) ~ JMP1_? ^ used in tt. 

' ' A => B 

The definition of $T_A$ for $\Rightarrow$-i is not looping, because there are no longer any $\Rightarrow$-i in $T_B(\pi)$. Nevertheless, this case requires us to define what $T_A$ means for a proof using the inference rules (Gen) and (Part). (The translation of (MP) is already defined because (MP) is equal to $\Rightarrow$-e.)



T.i 



\ B => Va. (7(a) / 

Ta (7r) roi 

,4 => B => C*(r) (A B =*> C(t)) => (A A B) =► C(r) 



lIMPl 



S (A A B) C(r) 



(A A B) => Va. C*(a) 
MB — - 



A => B => Va. (7(a) 

where $\varpi_1$ is any proof of $(A \Rightarrow B \Rightarrow C) \Rightarrow (A \land B) \Rightarrow C$, and $\varpi_2$ of $((A \land B) \Rightarrow C) \Rightarrow A \Rightarrow B \Rightarrow C$, using the axiom schemata (I) to (Pair) and the inference rule (MP). (Indeed, they are valid propositions of the intuitionistic propositional logic.)



Ta 



( w [A] \ 

fPartt — 

V (3a.B(a))^C J 

Ta M 

>• B(r) =4> C* (A => B(r) => C) =>■ B(r) => A =► C iJCj 



llMPl 



. . B(r) =^ A => C 



, 3a. B a => A C • • • O 

MB — ■ — 

A 3a. B(a) C 